Having trouble on an Ubuntu 16.04 (Xenial) box with sssd 1.13.4-1ubuntu1.12.
The backend goes offline and authentications fail. We have debug_level=9. We expect the
server to be talking with one of three DCs in its site.
The forest DCs are behind a firewall for us. Any ideas on what may be the cause and the
cure?
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_OUR.DOMAIN.COM], expired on [1554479058]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1554443958
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: OURHOST$
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2039
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ADSFDC01.Domain.com' as 'not working'
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ADSFDC01.Domain.com' as 'not working'
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ADSFDC01.Domain.com' as 'not working'
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x2ee3c10], connected[1], ops[(nil)], ldap[0x3012d40], destructor_lock[0], release_memory[0]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_mark_offline] (0x2000): Going offline!
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_mark_offline] (0x2000): Enable check_if_online_ptask.
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 62 seconds from now [1554443120]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
Config:
[sssd]
config_file_version = 2
domains = our.domain.com
services = nss, pam, pac
debug_level = 9
reconnection_retries = 3
[pac]
[nss]
debug_level = 9
[pam]
debug_level = 9
[domain/our.domain.com]
debug_level = 9
id_provider = ad
auth_provider = ad
ad_site=SITE
access_provider = ad
ldap_id_mapping = False
ad_gpo_access_control = permissive
ad_access_filter=DOM:our.domain.com:(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf:1.2.840.113556.1.4.1941:=CN=SEC-Linux_Admins,OU=Security,OU=Groups,dc=our,dc=domain,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=SEC-NOC_Linux_Admins,OU=Security,OU=Groups,dc=our,dc=domain,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=SEC-SOS_Linux_Access,OU=Security,OU=Groups,dc=our,dc=domain,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=SRV-ourhost_LocalAdmins,OU=Local Servers,OU=Groups,dc=our,dc=domain,dc=com)))
Jay McCanta | Principal Systems Administrator
D +1 (206) 272-7998 M +1-206-434-1080